Java Security: Oracle Issues Half Measure Fix, Mac Users Shrug

Oracle has released an emergency update for Java 7 that fixes two vulnerabilities and also changes Java’s security settings to “high” by default, which makes it more difficult for Java apps, legit or evil, to run automatically. However, Java security experts are saying the patch doesn’t go far enough, leaving hundreds of millions of computers potentially exposed, and that users should disable Java.

“The safest thing to do at this point is just assume that Java is always going to be vulnerable,” said HD Moore, chief security officer, Rapid7. “Folks don’t really need Java on their desktop.”

Thereupon, if you need to use Java, get the Java 7 update from Oracle and enable it on an as needed basis.

Java Security: Safer Is as Safer Does

For the vast majority of Mac users — those running OS X 10.6, 10.7 and 10.8 — Apple’s integrated XProtect security feature obviates this latest Java exploit. A background push update sent to users on Thursday, January 10, prevents a Mac from automatically running Java apps until a still unreleased and, one presumes, secure version of Java has been installed.

To get Oracle’s latest patch on a Mac, go to System Preferences > Java > Update and then click Update Now. You can enable or disable Java by going to Safari > Preferences > Security and unchecking Enable Java.

Windows PC users need to jump through a few more hoops: Windows XP, Vista and Windows 7 > Click Start > Control Panel, type Java in the Search Control Panel located in the upper right corner. Next, launch the Java Control Panel by double-clicking on the Java icon and, when the Java Control Panel appears, click the Update tab and follow the onscreen directions.

PC users can enable or disable Java via the Java Control Panel.

That said, Java usage has been falling for years and this latest vulnerabilities and resulting kerfuffle will serve to hasten Java’s decline. Ultimately, the best way to prevent Java security issues on your PC or Mac is to uninstall it…